Communication apparatus having network communication function, control method for the communication apparatus, and storage medium

ABSTRACT

A communication apparatus having a communication function, which is capable of improving security while ensuring convenience in network communication using the ICMP Echo protocol. It is determined whether or not a source of a received packet is an apparatus lies in the same network as a network in which the communication apparatus is installed. According to the determination result, whether or not to respond to the received packet is judged based on one of a first judgment condition used in a case where the source lies in the same network as the network in which the communication apparatus is installed, and a second judgment condition used in a case where the source does not lie in the same network as the network in which the communication apparatus is installed. According to the judgment result, a response to the received packet is sent back.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to a communication apparatus having acommunication function, a control method for the communicationapparatus, and a computer-readable storage medium storing a program forimplementing the method, and more particularly to a network securitytechnique for a communication apparatus.

2. Description of the Related Art

Networking equipment installed with the TCP/IP protocol supports theICMP Echo protocol.

The ICMP Echo protocol is a simple protocol that transmits an ICMP EchoRequest packet to networking equipment at a transmission destination,and upon receiving this packet, the networking equipment sends back aresponse with an ICMP Echo Request packet.

The ICMP Echo protocol is generally used to check if communication withnetworking equipment at a transmission destination is possible, check ifcommunication paths present any problem, and measure the time forresponse from networking equipment at a transmission destination, and isused as a means for checking communication status.

Moreover, techniques using the ICMP Echo protocol as instructioncommands for networking equipment have been proposed.

For example, a technique that monitoring equipment creates a statisticalinformation header, and an ICMP Echo Request packet including thecreated statistical information header as a payload of ICMP Echo istransmitted to equipment to be monitored (Japanese Laid-Open PatentPublication (Kokai) No. 2005-286458).

According to this proposal, when the equipment to be monitored which hasreceived the ICMP Echo Request packet determines that a normalstatistical information header is stored, a network from whichstatistical information should be taken out is identified.

Then, the equipment to be monitored obtains statistical information froma storage device, writes the statistical information in a payload ofICMP Echo and sends back the same. Upon determining that normalstatistical information is stored in the payload of the sent-back ICMPEcho Reply, the monitoring equipment takes out the statisticalinformation and stores the same in a storage device. Therefore, ascompared to cases where SNMP is used, statistical information can becollected from a small-sized device having a small memory capacity atlower cost, and more statistical information can be collected.

However, when the ICMP Echo protocol is used, a malicious third partycan confirm the presence of networking equipment by issuing a Pingcommand or the like from an external network, and hence the ICMP Echoprotocol may be undesirable in terms of security for networkingequipment.

Moreover, a universal OS has a means for disabling an ICMP Echo Reply toan ICMP Echo Request so as to make it difficult to detect the presenceof networking equipment, but when an ICMP Echo Reply to an ICMP EchoRequest is disabled, it becomes impossible to check communication statusor the like.

SUMMARY OF THE INVENTION

The present invention provides a communication apparatus and a controlmethod for the communication apparatus, which are capable of improvingsecurity while ensuring convenience in network communication using theICMP Echo protocol, as well as a computer-readable storage mediumstoring a program for implementing the method.

Accordingly, a first aspect of the present invention provides acommunication apparatus comprising a receiving unit configured toreceive a packet, a determination unit configured to determine whether asource of the packet received by the receiving unit is an apparatuslying in the same network as a network in which the communicationapparatus lies, a judgment unit configured to, according to a result ofthe determination by the determination unit, judge whether to respond tothe packet received by the receiving unit based on one of a firstjudgment condition used in a case where the source lies in the samenetwork as the network in which the communication apparatus lies, and asecond judgment condition used in a case where the source does not liein the same network as the network in which the communication apparatuslies, and a response unit configured to, according to a result of thejudgment by the judgment unit, respond to the packet received by thereceiving unit.

Accordingly, a second aspect of the present invention provides a controlmethod for a communication apparatus, comprising a receiving step ofreceiving a packet, a determination step of determining whether a sourceof the packet received in the receiving step is an apparatus lying inthe same network as a network in which the communication apparatus lies,a judgment step of, according to a result of the determination in thedetermination step, judging whether to respond to the packet received inthe receiving step based on one of a first judgment condition used in acase where the source lies in the same network as the network in whichthe communication apparatus lies, and a second judgment condition usedin a case where the source does not lie in the same network as thenetwork in which the communication apparatus lies, and a response stepof, according to a result of the judgment in the judgment step,responding to the packet received in the receiving step.

Accordingly, a third aspect of the present invention provides acomputer-readable non-transitory storage medium storing a program forimplementing a control method for controlling a communication apparatus,the control method comprising a receiving step of receiving a packet, adetermination step of determining whether a source of the packetreceived in the receiving step is an apparatus lying in the same networkas a network in which the communication apparatus lies, a judgment stepof, according to a result of the determination in the determinationstep, judging whether to respond to the packet received in the receivingstep based on one of a first judgment condition used in a case where thesource lies in the same network as the network in which thecommunication apparatus lies, and a second judgment condition used in acase where the source does not lie in the same network as the network inwhich the communication apparatus lies, and a response step of,according to a result of the judgment in the judgment step, respondingto the packet received in the receiving step.

According to the present invention, security can be improved whileconvenience in network communication using the ICMP Echo protocol isensured.

Further features of the present invention will become apparent from thefollowing description of exemplary embodiments (with reference to theattached drawings).

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram schematically showing an exemplary arrangement of anetwork including an MFP which is a communication apparatus according toan embodiment of the present invention.

FIG. 2 is a block diagram schematically showing an exemplary arrangementof a controller unit in the MFP.

FIG. 3 is a diagram schematically showing an exemplary arrangement ofessential parts of software relating to network communications carriedout by the MFP.

FIG. 4 is a block diagram schematically showing a specific exemplarymodule structure of a network stack.

FIG. 5 is a diagram useful in outlining the format of an ICMP packet.

FIG. 6 is a flowchart useful in explaining an exemplary operation of anICMP determination module in the MFP.

FIG. 7 is a flowchart useful in explaining a determination process instep S604 in FIG. 6.

FIG. 8 is a flowchart useful in explaining a determination process instep S605 in FIG. 6.

FIG. 9 is a view showing an exemplary setting screen displayed on aconsole of the MFP so that a user can set determination conditions usedin step S701 in FIG. 7 and step S801 in FIG. 8.

DESCRIPTION OF THE EMBODIMENTS

The present invention will now be described in detail with reference tothe drawings showing embodiments thereof.

FIG. 1 is a diagram schematically showing an exemplary arrangement of anetwork including an MFP which is a communication apparatus according toan embodiment of the present invention.

Referring to FIG. 1, the MFP 101 according to the present embodiment hasa network communication function of communicating with a PC (personalcomputer) 102 and a PC 104 via a LAN 103 and a LAN 106, which isconnected to the LAN 103 via a router 105. The MFP 101 has an IP address192.168.1.50, and the PC 102 and the PC 104 have an IP address192.168.1.100 and an IP address 192.168.2.10, respectively. The PC 102and the PC 104 are equipped with an application for processing Pingcommands as well as a universal OS.

FIG. 2 is a block diagram schematically showing an exemplary arrangementof a controller unit in the MFP 101.

As shown in FIG. 2, the controller unit 2000 provides control so as torealize a function of causing a printer 2095 to print out image datascanned in by a scanner 2070. Also, by establishing connection with theLAN 103, the controller unit 2000 provides control so as to input andoutput image information and device information.

A CPU 2001 of the controller unit 2000 boots an OS with a boot programstored in a ROM 2003, and on the OS, executes application programsstored in an HDD 2004 to carry out various kinds of processing. A RAM2002 is used as a work area for the CPU 2001 and as an image memory areafor temporarily storing image data. The HDD 2004 stores applicationprograms and image data.

A console I/F 2006, a network I/F 2010, a modem 2050, and an image busI/F 2005 are connected to the CPU 2001 via a system bus 2007.

The console I/F 2006 is an interface to a console 2012 having a touchpanel and others, and outputs image data, which is to be displayed onthe console 2012, to the console 2012. The console I/F 2006 outputsinformation, which is input by a user via the console 2012, to the CPU2001.

The network I/F 2010 inputs and outputs information to and from otherapparatuses, which are connected to the LAN 103, via the LAN 103. Themodem 2050 is connected to a public line, not shown, via a WAN 1007 toinput and output information.

The image bus I/F 2005 is a bus bridge for connecting the system bus2007 and an image bus 2008, which transfers image data at high speed, toeach other, and converting data structures. The image bus 2008 iscomprised of a PCI bus or IEEE 1394. A RIP (raster image processor)2060, a device I/F 2020, a scanner image processing unit 2080, a printerimage processing unit 2090, an image rotation unit 2030, and an imageprocessing unit 2040 are connected to the image bus 2008.

The RIP 2060 is a processor which expands a PDL code into a bitmappedimage. The scanner 2070 and the printer 2095 are connected to the deviceI/F 2020, and the device I/F 2020 carries out synchronous/asynchronoustransformation of image data. The scanner image processing unit 2080corrects, processes, and edits input image data.

The printer image processing unit 2090 carries out printer correction,resolution conversion, and so on with respect to printout image data.The image rotation unit 2030 rotates image data. The image processingunit 2040 compresses multivalued image data into JPEG data andcompresses binary image data into JBIG data, MMR data, MH data, and soon, and expands them.

FIG. 3 is a diagram schematically showing an exemplary arrangement ofessential parts of software relating to network communications carriedout by the MFP 101.

Referring to FIG. 3, an application 301 is a set of network applicationsoperating on the MFP 101. A socket I/F 302 is a socket I/F programoffered by the OS. When a network application included in theapplication 301 is to carry out communication, the socket I/F 302 iscalled to enable such processing as transmission and receipt of data.

A socket I/F is a program that is not always required when a networkapplication carries out communication, but is able to reduce man-hoursfor application development because it can use universal programinstructions and processing flows irrespective of OS type. Thus, anetwork application generally transmits and receives data by calling asocket I/F. A network stack 303 is a protocol stack group. A networkdriver 304 is a device driver for the network I/F 2010.

FIG. 4 is a block diagram schematically showing an exemplary modulestructure of the network stack 303.

An ARP management module 406 is a software module that controls aprotocol called ARP (address resolution protocol). An IP managementmodule 405 is a software module that controls a protocol called IP(internet protocol).

A TCP management module 401 is a software module that controls aprotocol called TCP (transmission control protocol). A UDP managementmodule 402 is a software module that controls a protocol called UDP(user datagram protocol).

An ICMP management module 403 is a software module that controls aprotocol called ICMP (internet control message protocol). The ICMPmanagement module 403 receives an ICMP Echo Request packet via thenetwork I/F 2010 through the IP management module 405 and an ICMPdetermination module 404.

Then, in response to the received ICMP Echo Request packet, the ICMPmanagement module 403 provides transmission control to send back an ICMPEcho Reply packet.

The ICMP determination module 404 is a software module that providescontrol to analyze an ICMP packet received from the IP management module405, and determines whether or not to pass the ICMP packet to the ICMPmanagement module 403 according to determination conditions determinedin advance.

FIG. 5 is a diagram useful in outlining the format of an ICMP packet.

An ICMP packet is included in an IP packet 501, and data is stored in anICMP format in an IP payload portion 505.

In the IP packet 501, a destination IP address is stored as adestination address 502, a source IP address is stored as a sourceaddress 503, and data on control of an IP packet is stored as an option504.

The IP payload portion 505 is a data portion of an IP packet, in whichdata is stored in a format determined by each of protocols such as ICMP,TCP, and UDP.

ICMP Type 506 stores data indicative of an ICMP type and identifieswhether or not an ICMP packet is ICMP Echo. In ICMP Code 507, Checksum508, and Option 509, data determined in an ICMP format in advance isstored, although description thereof is omitted.

In the IP payload portion 505, data determined by ICMP Type 506 isstored, but in the case of an ICMP Echo packet, data stored in an ICMPpayload portion 510 is not particularly determined.

Referring next to FIGS. 6 to 8, a description will be given of how theICMP determination module 404 operates in the MFP 101 according to thepresent embodiment. Processes in FIGS. 6 to 8 are carried out by the CPU2001 in accordance with programs stored in the HDD 2004 or the like ofthe MFP 101 and loaded into the RAM 2002.

First, when a network packet received by the IP management module 405via the network I/F 2010 and the network driver 304 is an ICMP packet,the ICMP packet is passed to the ICMP determination module 404, and aprocess in step S601 in FIG. 6 is started.

Referring to FIG. 6, in the step S601, the CPU 2001 uses the ICMPdetermination module 404 to determine whether or not the received ICMPpacket is an ICMP Echo Request packet.

Upon determining that the received ICMP packet is not an ICMP EchoRequest packet, the CPU 2001 proceeds to step S606, and upon determiningthat the received ICMP packet is an ICMP Echo Request packet, the CPU2001 proceeds to step S602.

In the step S606, the CPU 2001 passes the ICMP packet received in thestep S601 to the ICMP management module 403, and returns to the stepS601.

Here, the ICMP management module 403 provides transmission controldefined by the ICMP protocol for the received ICMP packet. Namely, whenthe received ICMP packet is an ICMP Echo Request packet, the ICMPmanagement module 403 provides transmission control to send back an ICMPEcho Reply packet. When the received ICMP packet is not an ICMP EchoRequest packet, the ICMP management module 403 carries out processingsuitable for the received ICMP packet.

In the step S602, the CPU 2001 analyzes data stored in the sourceaddress 503 and the ICMP payload portion 510 of the received ICMP EchoRequest packet, and proceeds to step S603.

In the step S603, the CPU 2001 carries out a network determinationprocess so as to determine whether or not the source address 503 is thesame network address as that of the MFP 101.

Here, in a case where the ICMP Echo Request packet is transmitted fromthe PC 102, the source address 503 is 192.168.1.100. In this case, theCPU 2001 determines that the source address 503 is the same networkaddress as that of the MFP 101, and proceeds to step S604. In a casewhere the ICMP Echo Request packet is transmitted from the PC 104, thesource address 503 is 192.168.2.10. In this case, the CPU 2001determines that the source address 503 is different from the networkaddress of the MFP 101, and proceeds to step S605.

In the step S604, the CPU 2001 carries out a transmission determinationprocess so as to determine whether or not the ICMP Echo Request packetmatches a determination condition used in a case where the ICMP EchoRequest packet is transmitted from the same network as that of the MFP101.

Upon determining that the ICMP Echo Request packet matches thedetermination condition, the CPU 2001 proceeds to step S606, in which itcarries out the same process as described above, and upon determiningthat the ICMP Echo Request packet does not match the determinationcondition, the CPU 2001 suspends the process on the ICMP packet andreturns to the step S601. The details of the determination processcarried out here will be described later with reference to FIG. 7.

On the other hand, in the step S605, the CPU 2001 carries out atransmission determination process so as to determine whether or not theICMP Echo Request packet matches a determination condition used in acase where the ICMP Echo Request packet is transmitted from a networkdifferent from that of the MFP 101 (outside the same network).

Upon determining that the ICMP Echo Request packet matches thedetermination condition, the CPU 2001 proceeds to the step S606, inwhich it carries out the same process as described above, and upondetermining that the ICMP Echo Request packet does not match thedetermination condition, the CPU 2001 suspends the processing on theICMP packet and returns to the step S601. The details of thedetermination process carried out here will be described later withreference to FIG. 8.

Referring next to FIG. 7, a description will be given of thedetermination process in the step S604 in FIG. 6.

In step S701, the CPU 2001 determines what determination condition hasbeen set by user's operation on the console 2012.

Specifically, when the determination condition is a data length of theICMP payload portion 510, the CPU 2001 proceeds to step S702, when thedetermination condition is the source address 503, the CPU 2001 proceedsto step S703, and when the determination condition is the number ofreceipts, the CPU 2001 proceeds to step S704.

In the step S702, the CPU 2001 determines whether or not the data lengthof the ICMP payload portion 510 of the ICMP Echo Request packet matchesa data length set by the user.

Then, upon determining that the data length of the ICMP payload portion510 matches the data length set by the user, the CPU 2001 proceeds tothe step S606, and upon determining that the data length of the ICMPpayload portion 510 does not match the data length set by the user, theCPU 2001 returns to the step S601.

In the step S703, the CPU 2001 determines whether or not the sourceaddress 503 in the ICMP Echo Request packet matches an IP address set bythe user.

Then, upon determining that the source address 503 matches the IPaddress set by the user, the CPU 2001 proceeds to the step S606, andupon determining that the source address 503 does not match the IPaddress set by the user, the CPU 2001 returns to the step S601.

In the step S704, the CPU 2001 counts up the number of times the ICMPEcho Request packet has been received with respect to each sourceaddress 503, and proceeds to step S705.

In the step S705, the CPU 2001 determines whether or not the number oftimes the ICMP Echo Request packet has been received is equal to or morethan the number of times (N) set by the user.

Then, upon determining that the number of times the ICMP Echo Requestpacket has been received is equal to or more than the number of times(N) set by the user, the CPU 2001 proceeds to the step S606, and upondetermining that the number of times the ICMP Echo Request packet hasbeen received is less than the number of times (N) set by the user, theCPU 2001 returns to the step S601.

Referring next to FIG. 8, a description will be given of thedetermination process in the step S605 in FIG. 6.

In step S801, the CPU 2001 determines what determination condition hasbeen set by user's operation on the console 2012.

Specifically, when the determination condition is a data pattern of theICMP payload portion 510, the CPU 2001 proceeds to step S802, and whenthe determination condition is user authentication, the CPU 2001proceeds to step S803.

In the step S802, the CPU 2001 determines whether or not data in theICMP payload portion 510 of the ICMP Echo Request packet matches a datapattern set by the user.

Then, upon determining that data in the ICMP payload portion 510 matchesthe data pattern set by the user, the CPU 2001 proceeds to the stepS606, and upon determining that data in the ICMP payload portion 510does not match the data pattern set by the user, the CPU 2001 returns tothe step S601.

In the step S803, the CPU 2001 decrypts encrypted user ID and passwordstored in the ICMP payload portion 510 of the ICMP Echo Request packet,and proceeds to step S804.

In the step S804, the CPU 2001 carries out user authentication using theuser ID and the password decrypted in the step S803. When the user issuccessfully authenticated, the CPU 2001 proceeds to the step S606, andwhen the user is unsuccessfully authenticated, the CPU 2001 returns tothe step S601.

FIG. 9 is a view showing an exemplary setting screen 901 displayed onthe console 2012 of the MFP 101 so that the user can set determinationconditions used in the step S701 in FIG. 7 and the step S801 in FIG. 8.

Referring to FIG. 9, ON 902 and OFF 903 are switches for selectivelydetermining whether or not to send back an ICMP Echo Reply packet inresponse to a received ICMP Echo Request packet.

When ON 902 is selected, “Always Respond 905” or “Conditionally Respond906” can be selected.

When “Always Respond 905” is selected, an ICMP Echo Reply packet isalways sent back. When “Conditionally Respond 906” is selected, “WithinSame Network 907” or “Outside Same Network 908” can be selected.

When “Within Same Network 907” is selected, a screen 909 is displayed onthe console 2012. When “Outside Same Network 908” is selected, a screen910 is displayed on the console 2012.

On the screen 909, one or more of “Payload Length 911”, “Number ofReceipts 912”, and “Specific Address 913” can be selected asdetermination conditions within the same network.

When “Payload Length 911” is selected, a screen (not shown) for settingan arbitrary payload length is displayed. When“Number of Receipts 912”is selected, a screen (not shown) for setting the arbitrary number ofreceipts is displayed. When “Specific Address 913” is selected, a screen(not shown) for setting an arbitrary IP address is displayed.

Here, “Payload Length 911” corresponds to the determination condition inthe step S702 in FIG. 7, “Number of Receipts 912” corresponds to thedetermination condition in the step S705 in FIG. 7, and “SpecificAddress 913” corresponds to the determination condition in the step S703in FIG. 7. These determination conditions have lower security levels ascompared to determination conditions outside the same network.

On the other hand, on the screen 910, one or both of “Data Pattern 914”and “User Authentication 915” can be selected as determinationconditions outside the same network.

When “Data Pattern 914” is selected, a screen (not shown) for setting anarbitrary data pattern is displayed. When “User Authentication 915” isselected, a screen (not shown) for setting a user ID and a password of auser permitted to be authenticated is displayed.

Here, “Data Pattern 914” corresponds to the determination condition inthe step S802 in FIG. 8, and “User Authentication 915” corresponds tothe determination condition in the step S804 in FIG. 8. Thesedetermination conditions have higher security levels as compared todetermination conditions inside the same network.

As described above, in the present embodiment, the user sets in advancedetermination conditions for judging whether or not to whether or not tosend back an ICMP Echo Reply in response to a received ICMP EchoRequest. Transmission is controlled so that when a received ICMP EchoRequest satisfies the determination conditions, an ICMP Echo Reply issent back, and when a received ICMP Echo Request does not satisfy thedetermination conditions, an ICMP Echo Reply is not sent back.

As a result, the presence of the MFP 101 cannot be confirmed for an ICMPEcho Request source that does not satisfy the determination conditions,and hence security can be improved. Moreover, communication status orthe like can be checked for an ICMP Echo Request source that satisfiesthe determination conditions, and hence convenience in networkcommunication using the ICMP Echo protocol can be ensured.

Moreover, in the present embodiment, conditions for determining whetheror not to send back an ICMP Echo Reply differ according to whether anICMP Echo Request source is an apparatus in the same network or outsidethe same network. Namely, when an ICMP Echo Request source is anapparatus in the same network, a relatively low security level is setfor determination conditions, and when an ICMP Echo Request source is anapparatus outside the same network, a relatively high security level isset for determination conditions.

As a result, convenience in communication check or the like can beenhanced for apparatuses in the same network, and security can befurther improved for apparatuses outside the same network.

Other Embodiments

Aspects of the present invention can also be realized by a computer of asystem or apparatus (or devices such as a CPU or MPU) that reads out andexecutes a program recorded on a memory device to perform the functionsof the above-described embodiment(s), and by a method, the steps ofwhich are performed by a computer of a system or apparatus by, forexample, reading out and executing a program recorded on a memory deviceto perform the functions of the above-described embodiment(s). For thispurpose, the program is provided to the computer for example via anetwork or from a recording medium of various types serving as thememory device (e.g., computer-readable medium).

While the present invention has been described with reference toexemplary embodiments, it is to be understood that the invention is notlimited to the disclosed exemplary embodiments. The scope of thefollowing claims is to be accorded the broadest interpretation so as toencompass all such modifications and equivalent structures andfunctions.

This application claims the benefit of Japanese Patent Application No.2010-226722 filed Oct. 6, 2010, which is hereby incorporated byreference herein in its entirety.

What is claimed is:
 1. A communication apparatus comprising: a receivingunit configured to receive a packet; a determination unit configured todetermine whether a source of the packet received by said receiving unitis an apparatus lying in the same network as a network in which thecommunication apparatus lies; a judgment unit configured to, accordingto a result of the determination by said determination unit, judgewhether to respond to the packet received by said receiving unit basedon a first judgment condition in a case where it is determined that thesource is the apparatus lying in the same network as the network inwhich the communication apparatus lies, and judge whether to respond tothe packet received by said receiving unit based on a second judgmentcondition in a case where it is determined that the source is not theapparatus lying in the same network as the network in which thecommunication apparatus lies; and a response unit configured to,according to a result of the judgment by said judgment unit, respond tothe packet received by said receiving unit.
 2. The communicationapparatus according to claim 1, further comprising: a setting unitconfigured to set the first judgment condition and the second judgmentcondition in accordance with an instruction from a user.
 3. Thecommunication apparatus according to claim 1, wherein the first judgmentcondition relates to at least one of the following: a payload length ofthe packet received by said receiving unit, a source address of thepacket received by said receiving unit, and the number of receipts ofthe packet received by said receiving unit.
 4. The communicationapparatus according to claim 1, wherein the second judgment conditionrelates to at least one of the following: a data pattern of the packetreceived by said receiving unit, and authentication of user informationincluded in the packet received by said receiving unit.
 5. Thecommunication apparatus according to claim 1, wherein the packetreceived by said receiving unit is an ICMP Echo packet.
 6. A controlmethod for a communication apparatus, comprising: a receiving step ofreceiving a packet; a determination step of determining whether a sourceof the packet received in said receiving step is an apparatus lying inthe same network as a network in which the communication apparatus lies;a judgment step of, according to a result of the determination in saiddetermination step, judging whether to respond to the packet received insaid receiving step based on a first judgment condition in a case whereit is determined that the source is the apparatus lying in the samenetwork as the network in which the communication apparatus lies, andjudge whether to respond to the packet received by said receiving stepbased on a second judgment condition in a case where it is determinedthat the source is not the apparatus lying in the same network as thenetwork in which the communication apparatus lies; and a response stepof, according to a result of the judgment in said judgment step,responding to the packet received in said receiving step.
 7. Acomputer-readable non-transitory storage medium storing a program forimplementing a control method for controlling a communication apparatus,the control method comprising: a receiving step of receiving a packet; adetermination step of determining whether a source of the packetreceived in said receiving step is an apparatus lying in the samenetwork as a network in which the communication apparatus lies; ajudgment step of, according to a result of the determination in saiddetermination step, judging whether to respond to the packet received insaid receiving step based on a first judgment condition in a case whereit is determined that the source is the apparatus lying in the samenetwork as the network in which the communication apparatus lies, andjudge whether to respond to the packet received by said receiving stepbased on a second judgment condition in a case where it is determinedthat the source is not the apparatus lying in the same network as thenetwork in which the communication apparatus lies; and a response stepof, according to a result of the judgment in said judgment step,responding to the packet received in said receiving step.